
TrojanDownloader:Win32/Poison.A


TrojanDownloader:Win32/Poison.A is a small trojan executable that downloads and executes a variant of Win32/Poison (aka "Poison Ivy"), a trojan that allows unauthorized access to an affected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.


Threat behavior

Installation

TrojanDownloader:Win32/Poison.A may be installed by other malware. It does not persist itself; when run, it proceeds directly to its file-downloading payload, described below.

Payload

Downloads malware
The trojan connects to a compromised website to retrieve non-executable data in the following example hexadecimal format:

The trojan decodes the downloaded hexadecimal text into executable code and injects it into its own running process, then writes the result to the Windows system folder as "misys.exe". The new file is a variant of Win32/Poison, so the downloader itself never has to carry the backdoor on disk.

Additional information

For more information about Win32/Poison, see the description elsewhere in the encyclopedia.

Analysis by Daniel Radu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\misys.exe

    Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
  • Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.
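
The two observable points in the behaviour above are the hex-text download (which looks like plain data on the wire) and the dropped file <system folder>\misys.exe. The following Python script is an added triage example, not code from the encyclopedia entry or from Microsoft: it decodes a captured hex-text blob and tests whether the result carries a PE header, and it checks the system folder (resolved from the SystemRoot environment variable, as the note above describes, rather than hard-coded) for the indicator file. Because the page's own hex example is not reproduced, the decoder assumes plain hex digits with optional whitespace; the sample blob and the dummy misys.exe it builds are constructed for offline testing and are not real malware.

```python
"""Triage helpers for the TrojanDownloader:Win32/Poison.A behaviour.

Added example, not part of the original encyclopedia entry.
  1. decode_hex_payload() / looks_like_pe(): the downloader fetches hex text and
     turns it into code in memory. Given captured hex text, decode it and test
     whether the result begins with an MZ header whose e_lfanew points at
     'PE\\0\\0'. Format assumption: plain hex digits, whitespace allowed.
  2. find_indicator(): look for <system folder>\\misys.exe (the file named in
     the Symptoms list) and report its size and SHA-256 for further lookup.
"""
import hashlib
import os
import re
import struct
import tempfile
from pathlib import Path
from typing import Optional

INDICATOR_NAME = "misys.exe"  # file name from the Symptoms section
# Constructed dummy content for the offline test folder; not malware.
DUMMY_CONTENT = b"constructed placeholder for misys.exe, not a real sample"


def default_system_folder() -> Path:
    """Ask the OS for the system folder instead of assuming C:\\Windows\\System32."""
    root = os.environ.get("SystemRoot") or os.environ.get("windir") or r"C:\Windows"
    return Path(root) / "System32"


def decode_hex_payload(text: str) -> bytes:
    """Strip whitespace and decode a hex-text blob.

    Raises ValueError on non-hex characters or odd length so that garbage is
    never silently 'decoded' into something that is then judged harmless.
    """
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise ValueError("payload is not a clean hex string")
    return bytes.fromhex(compact)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_indicator(system_folder: Optional[Path] = None) -> Optional[dict]:
    """Return {'path', 'size', 'sha256'} for misys.exe in the folder, else None.

    Defaults to the live system folder; a folder can be passed for testing or
    for examining a mounted image.
    """
    folder = Path(system_folder) if system_folder else default_system_folder()
    candidate = folder / INDICATOR_NAME
    if not candidate.is_file():
        return None
    digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
    return {"path": str(candidate), "size": candidate.stat().st_size, "sha256": digest}


def build_fake_pe() -> bytes:
    """Constructed sample: minimal MZ header + e_lfanew + 'PE\\0\\0' (not runnable)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    return bytes(header) + b"PE\0\0" + b"\0" * 20


def constructed_infected_folder() -> Path:
    """Create a temp folder holding a dummy misys.exe so the check runs offline."""
    folder = Path(tempfile.mkdtemp(prefix="poison_triage_"))
    (folder / INDICATOR_NAME).write_bytes(DUMMY_CONTENT)
    return folder


if __name__ == "__main__":
    # Stage 1: what the downloader pulled looks like text, but decodes to a PE.
    blob = decode_hex_payload(build_fake_pe().hex())
    print("captured blob decodes to a PE image:", looks_like_pe(blob))
    # Stage 2: check the live system folder for the dropped file.
    hit = find_indicator()
    print("misys.exe present in system folder:", hit if hit else "no")
```

On a clean host the second check prints "no"; a hit gives the path, size and SHA-256 that can be looked up against the vendor names listed under "This threat is also detected as". Treat the hex decoder as a triage aid only: the real sample's format may differ from the plain-hex assumption here, and a decoded blob that does not look like a PE still warrants a look.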


Prevention


Alert level: Severe
First detected by definition: 1.117.1242.0
Latest detected by definition: 1.117.1242.0 and higher
First detected on: Dec 16, 2011
This entry was first published on: Dec 16, 2011
This entry was updated on: Feb 21, 2012

This threat is also detected as:
  • Win-Trojan/Jorik.20480.K (AhnLab)
  • TR/Agent.20480.114 (Avira)
  • Win32.HLLW.Autoruner1.11186 (Dr.Web)
  • Trojan.Win32.Jorik.PoisonIvy.rr (Kaspersky)
  • Troj/DwnLdr-JNS (Sophos)
  • BKDR_POISONDLD.A (Trend Micro)